Cybersecurity risk in water infrastructure: Understand the threat and be prepared

Over the years there have been numerous instances of cybersecurity breaches of water industry operational technologies (OT).

These breaches could have led to a range of challenges and disasters, particularly due to the widespread threat a successful breach could pose to a population. In this article, we outline some examples of recent breaches and detail what water infrastructure organisations can do to minimise their risk.

Recent water infrastructure breaches

The latest case, at Oldsmar, Florida in the United States, could have been the closest to true disaster, with a malicious party gaining access to systems and successfully releasing dangerous amounts of sodium hydroxide from a water treatment facility. Luckily, harm was avoided by a plant worker who just happened to look at the monitor at the moment the breach was happening. He saw the mouse pointer move around and change the level of sodium hydroxide while he was not touching the mouse himself. He quickly reversed the change to avoid a disaster and raised the alarm about this security breach.

While this incident is alarming, it is only one of numerous similar events. Some other recent examples include:

  • A leaked 2017 report from the UK’s National Cyber Security Centre stating that hackers were targeting a range of industrial control systems across energy and water industries.
  • The announcement in April 2020 that Israel’s wastewater SCADA systems were experiencing concentrated cyber-attacks, likely from a nation state.

In an environment of increased cybersecurity threats, events like those outlined above should prompt you to reflect on whether sufficient controls are in place to prevent this type of attack on your organisation.

Factors that make water industry OT vulnerable to cyber attack

In our experience, there are a number of common and emerging features of OT security design that can lead to an increased risk of cybersecurity breaches. These security design features include:

  • An increased use of remote systems for controlling, rather than just monitoring, operational technologies. While this allows organisations to achieve greater efficiencies, it can also drastically increase their cybersecurity risk if not implemented in a secure manner.
  • While attacks are at their most dangerous when systems can be remotely controlled, manipulation of monitoring signals can also pose a significant danger. A hacker could, for example, suppress alerts to hide other malicious activities or prompt an organisation to take incorrect actions to mitigate fabricated emergencies.
  • Industrial control networks with nodes sitting in remote areas with insufficient active monitoring to detect intrusions. Access to physical information technology (IT) and OT infrastructure can allow attackers to access sensitive systems directly, bypassing ‘gateway’ controls such as firewalls and segmented networks.
  • Unlike their IT counterparts, OT environments are less frequently updated and can consist of many legacy systems and devices. Quite often updates are no longer being released, making it difficult to protect these systems, particularly against new and emerging threats.
  • Transmission of data over unencrypted connections, especially wireless connections such as radio signals, which may be hijacked to gain access to IT and OT environments.
  • Insufficient separation of IT and OT networks, allowing breaches of one environment to spill over into the other.

While these technical considerations are important, organisations should also consider how their culture contributes to minimising or increasing cybersecurity risk.

Foster an inquisitive culture and ensure teams are aware of the risks

A common trend we have observed is that OT engineering teams are often focused on ‘keeping the lights on’ through maintaining service availability and dealing with known issues such as asset mismanagement or failure. Availability will always be a critical factor for OT teams, but the increase in security incidents in OT environments, combined with their integration across IT networks, requires organisations to take OT cybersecurity more seriously than in the past.

In contrast, IT departments are generally experienced with maintaining security while balancing availability and ease-of-use. IT teams are, however, not always in a position to share their practices with OT teams, or don’t value availability of OT environments sufficiently. This means that, while an OT team’s cybersecurity framework should be reflective of an organisation’s broader cybersecurity policy and risk appetite, the nuances of industry-specific infrastructure frequently require industry-specific security frameworks.

Establish a plan to minimise cybersecurity risks in OT environments

To minimise the cybersecurity risks in water OT environments, organisations need to take a holistic view of their company’s cybersecurity strategy, planning and control, and how it sits across both the IT and OT environment. Further, ensuring your team has a culture of making security a priority as well as maintaining operational availability is critical. This is particularly important in system design and implementation projects where teams need to involve stakeholders from multiple departments.

Another important solution that organisations can consider is the use of utility-specific security standards, such as NIST CSF, NIST 800-82 and/or ISA/IEC 62443. These specific standards will help ensure your cybersecurity framework addresses the specific risks posed in an OT environment.

Finally, organisations should consider cybersecurity a business risk with a people, process, and technology component, like any other business risk. Implement a strong, board-level governance framework that regularly monitors this risk, and undertake periodic assurance activities such as security reviews and penetration testing.

Getting the right frameworks in place now will ensure your organisation’s infrastructure is protected as best as possible against cyber-attacks. If you would like to discuss your organisation’s OT cybersecurity, contact one of our cybersecurity experts below.

This content is general commentary only and does not constitute advice. Before making any decision or taking any action in relation to the content, you should consult your professional advisor. To the maximum extent permitted by law, neither Pitcher Partners nor its affiliated entities, nor any of our employees will be liable for any loss, damage, liability or claim whatsoever suffered or incurred arising directly or indirectly out of the use or reliance on the material contained in this content. Pitcher Partners is an association of independent firms. Pitcher Partners is a member of the global network of Baker Tilly International Limited, the members of which are separate and independent legal entities. Liability limited by a scheme approved under professional standards legislation.

Our experts

  • Andrew Beitz, Principal, Adelaide
  • Norman Thurecht, Partner, Brisbane
  • Michal Jozwik, Partner, Melbourne
  • Scott Edden, Partner, Newcastle and Hunter
  • Adam Irwin, Managing Partner, Sydney